
Applications Are Targets

From the document CCSP CSI Exam Certification Guide (Pages 69-75)

Applications are also targets because, like host operating systems, they are susceptible to coding errors. The extent of the damage caused by application coding errors can vary from a minor “HTTP 404 File Not Found” error to something considerably worse such as a buffer overflow that provides direct interactive access to a host. Applications need to be kept up to date as much as possible. Furthermore, public domain applications and custom-developed applications should be audited to ensure that potential vulnerabilities are not introduced to the system with the installation of the software. These audits should consider the following factors:

Analysis of the calls that the application makes to other applications and to the operating system itself

The application privilege level

The level of trust the application has for the surrounding systems

The method of transport the application uses to transmit data across the network

This level of auditing is necessary to identify and resolve known and potential vulnerabilities that would reduce the security posture of the system and of the network as a whole.
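The four audit factors above are easiest to see applied to a concrete trace. The following Python script is an added example, not code from the certification guide or from Cisco: it parses constructed strace-style output (the sample lines, the port-to-protocol mapping, and the program paths are all assumptions for illustration) and maps what it finds onto the four factors: which other programs the application executes, whether it runs privileged and why, which peers it trusts, and whether the transport to each peer is cleartext or encrypted.

```python
import re

# Well-known ports grouped by whether the transport is cleartext or encrypted.
# Assumption for this example: an illustrative mapping, not a complete IANA list.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 69: "tftp", 80: "http",
                   110: "pop3", 143: "imap", 161: "snmp", 514: "syslog"}
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 636: "ldaps", 993: "imaps", 995: "pop3s"}

# Constructed strace-style lines (not a real capture): the application starts as
# root, binds a privileged port, spawns a shell, and talks telnet and HTTPS.
SAMPLE_TRACE = """\
execve("/usr/local/bin/app", ["app"], 0x7ffd3c2a1e40 /* 12 vars */) = 0
geteuid() = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("10.0.0.5")}, 16) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.0.0.6")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("10.0.0.7")}, 16) = -1 ECONNREFUSED (Connection refused)
execve("/bin/sh", ["sh", "-c", "ls /tmp"], 0x55d1e2a0f4c0 /* 12 vars */) = 0
"""

CALL_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')
PORT_RE = re.compile(r'sin_port=htons\((\d+)\)')
ADDR_RE = re.compile(r'inet_addr\("([\d.]+)"\)')


def parse_trace(text):
    """Yield (syscall, argument string, return value) for each strace line."""
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            yield m["name"], m["args"], int(m["ret"])


def audit(trace_text):
    """Map the trace onto the four audit factors from the text."""
    findings = {
        "main_binary": None,
        "runs_privileged": False,      # privilege level
        "privileged_ports": [],        # privilege level (why it needs root)
        "spawned_programs": [],        # calls to other applications
        "cleartext_peers": [],         # transport method
        "encrypted_peers": [],         # transport method
        "trusted_hosts": set(),        # trust placed in surrounding systems
    }
    for name, args, ret in parse_trace(trace_text):
        if name == "execve" and ret == 0:
            path = args.split(",", 1)[0].strip().strip('"')
            if findings["main_binary"] is None:
                findings["main_binary"] = path      # the traced program itself
            else:
                findings["spawned_programs"].append(path)
        elif name in ("getuid", "geteuid") and ret == 0:
            findings["runs_privileged"] = True
        elif name == "bind" and ret == 0:
            port = int(PORT_RE.search(args).group(1))
            if port < 1024:
                findings["privileged_ports"].append(port)
        elif name == "connect" and ret == 0:      # failed connects prove no trust
            port = int(PORT_RE.search(args).group(1))
            addr = ADDR_RE.search(args).group(1)
            findings["trusted_hosts"].add(addr)
            if port in CLEARTEXT_PORTS:
                findings["cleartext_peers"].append((addr, port, CLEARTEXT_PORTS[port]))
            elif port in ENCRYPTED_PORTS:
                findings["encrypted_peers"].append((addr, port, ENCRYPTED_PORTS[port]))
    return findings


def issues(findings):
    """Turn findings into the questions the auditor must answer."""
    out = []
    if findings["runs_privileged"]:
        why = f" (binds port(s) {findings['privileged_ports']})" if findings["privileged_ports"] else ""
        out.append("runs with uid 0" + why + "; can it drop privileges after bind()?")
    for prog in findings["spawned_programs"]:
        out.append(f"executes {prog}; are its arguments attacker-influenced?")
    for addr, port, proto in findings["cleartext_peers"]:
        out.append(f"sends {proto} in cleartext to {addr}:{port}")
    return out


if __name__ == "__main__":
    for line in issues(audit(SAMPLE_TRACE)):
        print(line)
```

On a real system the same parser runs over `strace -f -e trace=execve,connect,bind,getuid,geteuid -o app.trace ./app`; the three questions the script prints for the constructed trace (privilege retained after binding port 80, a shell spawned, and telnet used to 10.0.0.5) are exactly the findings the audit factors in the text are meant to surface.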

Intrusion Detection Systems

Intrusion detection systems (IDSs) fall into two primary categories: network IDS (NIDSs) and host-based IDS (HIDSs). NIDSs provide an overall view of activity on a network and the capability to alert upon discovery of an attack. HIDSs excel in providing after-the-fact analysis of an attack on a host, and, with newer host-based intrusion prevention systems (IPSs), they are able to prevent an attack from succeeding by intercepting OS and application calls on the host.

All IDSs require some level of adjustment, or tuning, to eliminate false positives. False positives are alarms that are triggered by activity that is benign in nature. Once the IDS has been tuned appropriately, additional mitigation techniques can be implemented. There are two primary mitigation techniques in the Cisco IDS offerings:

Shunning

TCP resets

Shunning uses ACLs on routers and firewalls to block offending traffic from a source IP address.

You must take great care when applying this technique because a skilled attacker may use spoofed packets in the attack to cause the IDS to add filters to the router or firewall that block legitimate traffic. To reduce this problem, it is recommended that you use shunning only against TCP traffic, because it is more difficult to spoof than UDP traffic. Additionally, use short shun times—just long enough to provide the network administrator with sufficient time to determine a more permanent course of action. Shunning is recommended on the internal network, however, for several reasons, including the assumption that effective RFC 2827 filtering is being used on the internal network and the fact that internal networks tend not to have the same level of stateful filtering as edge connections.

Sidebar (DDoS bandwidth calculation): This is easily 16 times greater than the size of the target enterprise's link to the Internet. Even if only half of the systems were able to flood at their full link capacity, the Internet link for the enterprise would still be

50 systems * 256 kbps/system + 50 systems * 128 kbps/system = 19.2 Mbps
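The shunning policy described above (TCP only, short shun times, and a list of hosts that must never be blocked even if a spoofed attack names them) can be expressed as a small decision routine. The following Python class is an added example, not Cisco IDS code; the alert fields, the IDS-SHUN ACL name, the address ranges, and the 300-second default are assumptions, and the rendered text follows IOS extended named-ACL syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src_ip: str
    protocol: str    # "tcp" or "udp" (constructed field names)
    signature: str
    ts: float        # seconds since epoch when the sensor fired


class ShunManager:
    """Decide which IDS alerts become temporary deny entries on the edge device."""

    def __init__(self, shun_seconds=300, tcp_only=True, never_shun=()):
        self.shun_seconds = shun_seconds          # keep this short (assumed default)
        self.tcp_only = tcp_only
        # Hosts that must never be blocked even if a spoofed attack names them:
        # DNS servers, business partners, the management station, and so on.
        self.never_shun = [ipaddress.ip_network(n) for n in never_shun]
        self.active = {}     # source IP -> expiry timestamp

    def consider(self, alert):
        """Return True if the alert results in an active shun."""
        if self.tcp_only and alert.protocol.lower() != "tcp":
            # Exchanging data over TCP requires completing the handshake, so the
            # source is real; a UDP source address is whatever the attacker wrote.
            return False
        ip = ipaddress.ip_address(alert.src_ip)
        if any(ip in net for net in self.never_shun):
            return False
        self.active[alert.src_ip] = alert.ts + self.shun_seconds
        return True

    def expire(self, now):
        """Drop shuns older than shun_seconds; return the IPs released."""
        released = [ip for ip, until in self.active.items() if until <= now]
        for ip in released:
            del self.active[ip]
        return released

    def acl_lines(self, acl_name="IDS-SHUN"):
        """Render the current shun list as an IOS extended named ACL."""
        lines = [f"ip access-list extended {acl_name}"]
        for ip in sorted(self.active, key=ipaddress.ip_address):
            lines.append(f" deny ip host {ip} any")
        lines.append(" permit ip any any")
        return lines


if __name__ == "__main__":
    mgr = ShunManager(never_shun=["192.0.2.0/24"])     # constructed protected range
    mgr.consider(Alert("198.51.100.7", "tcp", "http-dir-traversal", 1000.0))
    mgr.consider(Alert("203.0.113.9", "udp", "dns-amplification", 1001.0))
    print("\n".join(mgr.acl_lines()))
```

Note that a TCP signature that fires on a bare SYN (a SYN flood, for instance) can still carry a spoofed source, so the protected-range list is the safety net for the case the protocol check does not cover.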

The second mitigation technique, TCP resets, is available only against TCP-based connections and provides for the termination of the attack by sending TCP reset packets to both the attacking and the attacked hosts. Switched environments pose some additional challenges to TCP reset, but these can be overcome by using a Switched Port Analyzer (SPAN) or mirror port.
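For TCP resets, the sensor has to forge a reset toward each endpoint, spoofed as the other endpoint, carrying a sequence number the receiver will accept. The following Python code is an added example, not the sensor's implementation: it builds the two raw IPv4/TCP RST segments for one observed attacker-to-victim segment and verifies their checksums. The addresses, ports, and sequence numbers are constructed; actually transmitting the packets needs a raw socket and is deliberately left out.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_rst(src_ip, src_port, dst_ip, dst_port, seq, ack=None):
    """Return a raw IPv4+TCP RST (RST/ACK when ack is given), 40 bytes, no options."""
    flags = 0x04 if ack is None else 0x14              # RST, or RST|ACK
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                      (ack or 0) & 0xFFFFFFFF, (5 << 12) | flags, 0, 0, 0)
    # TCP checksum covers a pseudo-header of the IP addresses, protocol and length.
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def rst_pair(attacker_ip, attacker_port, victim_ip, victim_port, seq, ack, payload_len):
    """Given one attacker->victim segment the sensor saw (its SEQ, ACK and payload
    length), build the two resets: one spoofed as the attacker toward the victim,
    one spoofed as the victim toward the attacker. Each must fall inside the
    receiver's window or it is silently dropped, which is why the numbers come
    from the segment just observed."""
    next_from_attacker = (seq + payload_len) & 0xFFFFFFFF
    to_victim = build_tcp_rst(attacker_ip, attacker_port, victim_ip, victim_port,
                              seq=next_from_attacker)
    to_attacker = build_tcp_rst(victim_ip, victim_port, attacker_ip, attacker_port,
                                seq=ack, ack=next_from_attacker)
    return to_victim, to_attacker


def verify(packet):
    """Check both checksums of a packet built above (or captured off the wire)."""
    ip, tcp = packet[:20], packet[20:]
    if checksum(ip) != 0:
        return False
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    # Constructed connection: attacker 203.0.113.10:40000 -> victim 192.0.2.25:80
    to_victim, to_attacker = rst_pair("203.0.113.10", 40000, "192.0.2.25", 80,
                                      seq=1000, ack=5000, payload_len=100)
    print(to_victim.hex())
    print(to_attacker.hex())
```

In a switched environment the sensor only sees the segment, and therefore only learns the in-window sequence numbers, if the conversation is copied to it on a SPAN or mirror port, which is the challenge the text refers to.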

Secure Management and Reporting

Reporting is a design fundamental that addresses the requirement to log suspicious network activity. It is also very important to actually read the log entries, or at least to summarize them where reading every entry is impractical. Without log review, it is not possible to develop a complete picture of a potential security event.

Another item addressed by this topic includes management of the various network devices in the blueprint. Unlike the SAFE Enterprise blueprint, which utilizes an out-of-band network management method whereby all management traffic traverses a network infrastructure that is separate and distinct from the production network, the SAFE SMR blueprint utilizes an in-band network management scheme. To ensure the confidentiality and integrity of the management traffic, in-band management schemes require the use of encrypted protocols such as SSH, SSL, and IPSec where possible.

For management of devices outside of a firewall, there are several considerations to take into account:

What management protocol does the device support?

Should the management channel be active at all times?

Is this management channel necessary?

Answering these three questions provides sufficient analysis in weighing the risks of management traffic outside of the firewall.

Syslog is the most common and most widely supported method of reporting events on network devices. Synchronizing the time on network devices through the use of NTP further enhances the capability to correlate events from multiple devices.

Change management also represents a vital link in an overall comprehensive security policy. It is important that any changes made to network infrastructure devices be recorded and that known good configurations be archived through the use of FTP or TFTP. Both protocols carry the configuration, including any password hashes it contains, in cleartext, so on an in-band management network these transfers should stay within the encrypted management channels described above, or use SCP where the device supports it.
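Reading syslog from several devices, correlating events by time, and picking out the configuration changes that change management must reconcile is straightforward once the lines are parsed. The following Python code is an added example, not the guide's: the log lines are constructed in IOS syslog format, the year is assumed (IOS timestamps carry none), and treating a leading "*" or "." on the device timestamp as "clock not trustworthy" follows the IOS convention for a clock that was never set, or is set but not currently NTP-synchronized.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines as a syslog server might store them from IOS devices with
# "service timestamps log datetime msec show-timezone" (not a real capture).
# Assumption: the device-side timestamp is kept; IOS prefixes it with "*" when
# the clock was never set and "." when it is set but not NTP-synchronized.
SAMPLE_LOG = """\
edge-rtr 101: Mar  1 10:02:15.123 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4123) -> 10.1.1.20(23), 1 packet
fw1 9: Mar  1 10:02:16.800 UTC: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.1.1.5).
core-sw 77: Mar  1 10:02:17.410 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
edge-rtr 102: Mar  1 10:02:19.002 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4124) -> 10.1.1.21(23), 1 packet
lab-rtr 5: *Mar  1 00:03:41.330 UTC: %SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.5(5353) -> 10.1.2.9(161), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<seq>\d+): (?P<clock>[*.]?)(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
    r"(?:\.\d+)? \w+: %(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<msg>.*)$")
DENY_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

YEAR = 2003   # assumed; IOS timestamps carry no year


def parse(text):
    """Turn raw lines into records with a datetime and a clock-trust flag."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["severity"] = int(r["severity"])
        r["time"] = datetime.strptime(r["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
        r["clock_ok"] = r["clock"] == ""        # no "*" or "." prefix
        records.append(r)
    return records


def unsynced_hosts(records):
    """Devices whose events cannot be placed on a shared timeline."""
    return {r["host"] for r in records if not r["clock_ok"]}


def config_changes(records):
    """Events change management must be able to match against a recorded change."""
    wanted = ("CONFIG_I", "RELOAD")
    return sorted((r for r in records if r["facility"] == "SYS" and r["mnemonic"] in wanted),
                  key=lambda r: r["time"])


def denied_by_source(records):
    """Correlate ACL denies across devices by attacking source, oldest first,
    using only devices whose clocks are trustworthy."""
    hits = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["mnemonic"] != "IPACCESSLOGP" or not r["clock_ok"]:
            continue
        d = DENY_RE.search(r["msg"])
        if d:
            hits[d["src"]].append((r["host"], d["dst"], int(d["dport"]), d["proto"]))
    return dict(hits)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("clock not trustworthy:", unsynced_hosts(recs))
    for c in config_changes(recs):
        print("change:", c["time"], c["host"], c["mnemonic"], c["msg"])
    for src, events in denied_by_source(recs).items():
        print("denies from", src, events)
```

The lab router's events are excluded from the cross-device timeline because its clock was never set; without NTP the sort order across devices would be meaningless, which is the point the text makes about time synchronization.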


Foundation Summary

The “Foundation Summary” section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CCSP exam, a well-prepared CCSP candidate should at a minimum know all the details in each “Foundation Summary” section before taking the exam.

The five primary axioms of SAFE are listed next along with recommendations for how to mitigate some of the attacks against them:

Routers are targets.

— Lock down Telnet access to routers.

— Lock down SNMP access to routers.

— Control access to routers through the use of TACACS+.

— Turn off unneeded services.

— For routing protocols, consider using an authentication method to ensure that the routing updates are valid.

Switches are targets.

— Always use a dedicated VLAN ID for all trunk ports.

— Avoid using VLAN 1 for management.

— Set all user ports to nontrunking mode.

— Deploy port security where possible for user ports.

— Devise a plan for the ARP security issues in your network.

— Enable Spanning Tree Protocol attack mitigation.

— Use private VLANs where appropriate.

— Use CDP only where appropriate.

— Disable all unused ports and put them in an unused VLAN.

— Use VTP.

— Use Layer 2 port authentication such as 802.1x.

Networks are targets.

— Employ RFC 1918 and RFC 2827 filtering to reduce the impact of DDoS attacks that employ IP address spoofing.

— Communicate with the ISP to ensure that it applies traffic rate limits and QoS features on the outbound link of its router.

Hosts are targets.

— Keep systems up to date with patches and updates.

— Turn off unnecessary services.

— Ensure that users choose passwords that cannot be guessed, and verify this by periodically testing them.

— Minimize access to the system by limiting user accounts to only those who need to access a given system.

— Install host-based intrusion prevention software.

Applications are targets.

— Analyze the calls that an application makes to other applications and to the operating system itself.

— Analyze the application privilege level.

— Identify the level of trust the application has for the surrounding systems.

— Analyze the method of transport the application uses to transmit data across the network.

— Install host-based intrusion prevention software.


Q&A

As mentioned in the introduction, “All About the Cisco Certified Security Professional Certification,” you have two choices for review questions. The questions that follow give you a bigger challenge than the exam itself by using an open-ended question format. By reviewing now with this more difficult question format, you can exercise your memory better and prove your conceptual and factual knowledge of this chapter. The answers to these questions are found in Appendix A.

For more practice with exam-like question formats, including questions using a router simulator and multiple choice questions, use the exam engine on the CD-ROM.

1. What are some of the benefits of using a dedicated appliance for security rather than the same integrated functionality in another device?

2. What are the two significant advantages to SAFE’s use of modules in the blueprint?

3. What is the primary method that a DDoS attack uses to achieve its effects?

4. Why do hosts represent the greatest risk on a network?

5. Is it important to lock down Telnet, web, or SNMP access to devices, and if so, why?

6. What is the role of VTP in a network? What could an attacker do with VTP? How can attacks using VTP be made less likely to succeed?

7. What is 802.1x? How can it be used to improve the security of a network?

8. What are the four factors a software audit should consider when determining the security of an application?

This chapter covers the following topics:

SAFE Modules Overview

Understanding the Campus Module

Understanding the Corporate Internet Module

Understanding the WAN Module

CHAPTER 4

Understanding SAFE
